
By Michael Phillips | Father & Co.
The Viral Claim
A widely shared post this week (1.4K reposts, 8.2K likes as of this writing) told the story of an Oregon mother who arrived at her son’s doctor’s appointment and was informed she no longer had portal access to his medical records — because he had just turned 13. The post framed this as a partisan act: “This is Democrats stripping parents of the ability to know what medical decisions are being made about their own children.”
The anecdote is almost certainly real. The legal framing is not.
What Oregon Law Actually Says
Oregon’s minor-consent statutes set three specific age thresholds, and none of them is 13:
- ORS 109.675 — Minors 14 and older may independently consent to outpatient mental health and drug/alcohol treatment (excluding methadone maintenance).
- ORS 109.640 — Minors 15 and older may independently consent to general hospital care, medical/surgical diagnosis and treatment, and dental care.
- ORS 109.640 / 109.610 — Minors of any age may consent to reproductive health care, contraception, and STI/HIV testing and treatment without parental involvement, provided the condition is one the state requires providers to keep confidential.
Age 13 does not appear anywhere in the statute. The law gives a 13-year-old no independent authority to withhold routine medical information from a parent. If the statute were the only thing governing the mother’s experience, her full access should have continued for two more years.

So Where Did 13 Come From?
It came from the software, not the legislature.
MyChart — the patient portal built by Epic Systems and used by the overwhelming majority of U.S. hospital systems, including nearly every major system in Oregon — does not offer a way to grant parents partial access tailored to exactly what a given state’s law protects. Instead, health systems configure MyChart’s “proxy access” tiers around a single age cutoff, applied uniformly to every category of care, regardless of whether that specific patient ever sought confidential treatment.
Documentation from Oregon providers shows this cutoff is set well below the state’s actual legal thresholds:
- OHSU: An individual must be 13 or older to hold their own MyChart account; children 13 and older “must have their own MyChart account,” separate from a parent’s.
- Adventist Health Portland: “Children 13 and older must have their own MyChart account. Under age 15: Only parents or legal guardians may request access to the accounts of children under the age of 15” — meaning even though the statute doesn’t restrict general medical consent until 15, the portal architecture forces a parent to formally request continued access starting at 13.
- Providence (which just revised its policy, effective June 30, 2026): Full proxy access converts automatically to “messaging only” the day a patient turns 12 — a full three years before Oregon law gives that patient any independent medical decision-making authority. Providence’s own materials describe this explicitly as “an organizational policy in consideration of state laws,” not a requirement of any specific statute.
- Salem Health: Confirms “partial access” begins at 12-17 “in accordance with Oregon and Federal Privacy Laws” — again, a blanket policy bracket, not a citation to a specific age threshold in the ORS.
The age-13 cutoff nobody voted for came from software, not state law.
This Is Not an Oregon Problem, or a Blue-State Problem
Parents thought they were fighting a law. They were really fighting a design decision.
The same architecture, with different numbers, appears in hospital systems nationwide — including in conservative states with no equivalent minor-confidentiality statutes as expansive as Oregon’s:
- MultiCare (Washington/Idaho): Full proxy access converts to limited access at 13 in Washington, 14 in Idaho — a different cutoff in each state, set by each state’s own confidentiality law, but the same vendor mechanism.
- Yale New Haven Health (Connecticut): Proxy access automatically restricts at 13, tied to Connecticut’s confidential-treatment statute for reproductive health, substance use, and initial mental health treatment.
- Loma Linda (California) and BJC/WashU (Missouri/Illinois): Both restrict full proxy access at 12, requiring the minor’s own consent — plus provider sign-off — to restore broader parental access.
The pattern holds regardless of the state’s politics: Epic’s MyChart defaults to the earliest age at which any category of confidential care becomes available under that state’s law, then applies that single cutoff to the entire account — including the ordinary sprained ankles, cold symptoms, and physicals that have nothing to do with reproductive or behavioral health. A system built to protect confidentiality for a narrow set of sensitive services ends up restricting parental visibility into everything.

The Regulatory Backdrop
Two federal frameworks intersect here, and neither one specifies “13”:
- HIPAA generally treats a parent as a minor’s “personal representative” with full access rights — but explicitly defers to state law wherever state law grants the minor an independent right to consent to a category of care. Providers are left to build compliance systems for all fifty states’ differing thresholds using one piece of software.
- The 21st Century Cures Act’s information-blocking rule requires providers to make patient records readily available electronically — creating pressure to grant broad portal access — while simultaneously prohibiting disclosure of legally protected categories of adolescent care without consent. Providers describe threading this needle as the reason for blanket age cutoffs: it’s easier to restrict an entire account at a conservative age than to build category-by-category filtering that reliably keeps confidential records out of a parent’s view within a single account.
The Real Story
When software becomes policy, accountability gets harder to find.
The mother’s frustration is legitimate, and the underlying problem — parents losing visibility into non-sensitive information their child’s real legal rights don’t yet require states to protect — is real and worth scrutiny. But the accountability target isn’t a partisan legislature. It’s:
- Epic Systems, whose MyChart platform doesn’t support granular, per-service confidentiality filtering, forcing hospitals into blunt, whole-account age cutoffs.
- Individual health systems’ choices about where to set that cutoff — Providence’s is 12, OHSU/Adventist’s is 13, and there’s no indication any of them can point to a specific Oregon statute justifying that exact number over the alternative.
- A gap in HIPAA and Cures Act guidance that leaves this design choice entirely up to vendors and hospital risk-management offices rather than any elected body.
Parents in Idaho, Texas, or Alabama with teenagers on Epic-run portals are living under functionally the same restriction, just at a different age — a fact that undercuts any framing of this as a product of a particular party’s legislature.
Sources: This piece draws on the Oregon Revised Statutes governing minor consent to medical care — ORS 109.640 (general medical, dental, and reproductive health consent), ORS 109.675 (outpatient mental health and substance treatment consent), and ORS 109.610 (treatment for sexually transmitted disease) — read directly from the Oregon Legislature’s published code rather than secondhand summaries. Hospital-system proxy access policies were pulled from each provider’s own MyChart documentation and patient-facing FAQ pages: OHSU, Adventist Health Portland, Providence, and Salem Health for the Oregon-specific comparisons, and Yale New Haven Health (Connecticut), MultiCare (Washington and Idaho), Loma Linda University Health (California), and BJC/WashU (Missouri) for the multi-state architecture comparison. Federal framework context comes from HIPAA’s personal-representative provisions governing parental access to a minor’s protected health information and the 21st Century Cures Act’s information-blocking rule, which requires providers to make records electronically available while simultaneously prohibiting disclosure of legally protected categories of adolescent care. The originating viral claim — an X post from the account @bluelivesmtr recounting an Oregon mother’s experience at her son’s doctor’s office — is characterized here as an anecdote requiring independent verification, not as a sourced fact; neither the parent nor the account has been confirmed.

Keep Father & Co. Free
Father & Co. exists to support parents navigating separation, custody, and systems that are often confusing, isolating, or overwhelming. This work is grounded in lived experience, careful research, and respect for the real stakes families face.
If this article helped you feel less alone, better informed, or more grounded, reader support helps keep these resources free and available to others who need them.
Need help reviewing or organizing court or formal documents?
Father & Co. offers non-legal document review and organization for people representing themselves. This includes clarity, structure, neutral tone, and timeline organization — not legal advice or representation.
Have a story, experience, or resource to share?
Submissions are reviewed with care and discretion. We respect privacy and handle sensitive information responsibly.
Discover more from Fatherand.Co
Subscribe to get the latest posts sent to your email.